Version 1.1
This document describes security vulnerabilities that were addressed through software changes. Source code patches for these issues have been released to the Code Aurora Forum (CAF) and linked from this bulletin. These changes are applicable to, but not limited to, Android for MSM (all Android releases from CAF using the Linux kernel), Firefox OS for MSM, and QRD Android projects. Customers were previously notified of the issues described in this bulletin. Each of the vulnerabilities has an associated security rating. A description of these ratings using v 1.2 of the ratings scheme can be found at the following link.
Please reach out to security-advisory@quicinc.com for any questions related to this bulletin.
Announcements
None.
Acknowledgements
We would like to thank these researchers for their contributions in reporting these issues to us.
CVE-2017-13077, CVE-2017-13078, CVE-2017-13082, CVE-2017-13086, CVE-2017-13087, CVE-2017-13088 | Mathy Vanhoef, Frank Piessens |
CVE-2017-15818, CVE-2017-15825, CVE-2017-15828, CVE-2018-3573 | derrek (https://twitter.com/derrekr6) |
CVE-2017-15844, CVE-2018-11275, CVE-2018-3586 | Reported to us through Google Android Security team; please see bulletins at https://source.android.com/security/bulletin/ for individual credit information. |
CVE-2018-11265 | Baozeng Ding (sploving) |
CVE-2018-11270, CVE-2018-11273, CVE-2018-11276, CVE-2018-11286, CVE-2018-11295, CVE-2018-11301, CVE-2018-11832, CVE-2018-3570 | Jianqiang Zhao(@jianqiangzhao) and pjf(weibo.com/jfpan) of IceSword Lab, Qihoo 360 Technology Co. Ltd. |
CVE-2018-11293, CVE-2018-11297, CVE-2018-11302 | Gengjia Chen ( @chengjia4574 ), pjf (weibo.com/jfpan) of IceSword Lab, Qihoo 360 Technology Co. Ltd. |
CVE-2018-11298, CVE-2018-11300, CVE-2018-11904, CVE-2018-3574 | Hao Chen(@flankersky) and Guang Gong(@oldfresher) of Alpha Team, Qihoo 360 Technology Co. Ltd. |
CVE-2018-11818 | Pengfei Ding (丁鹏飞), Chenfu Bao (包沉浮), and Lenx Wei (韦韬) of Baidu X-Lab (百度安全实验室). |
CVE-2018-11886 | Gengjia Chen ( @chengjia4574 ) of IceSword Lab, Qihoo 360 Technology Co. Ltd. |
CVE-2018-11893 | C0RE Team |
CVE-2018-11902 | Dokyung Song, Dipanjan Das, Felicitas Hetzelt |
CVE-2018-3597 | Peter Pi of Tencent Security Platform Department |
CVE-2018-5905 | dingpengfei |
Table of vulnerabilities
Public ID | Security Rating | Technology Area | Date Reported |
CVE-2017-13077 | Critical | WLAN HOST | 8/25/2017 |
CVE-2017-13078 | Critical | WLAN HOST | 8/25/2017 |
CVE-2017-13080 | Critical | WLAN HOST | 8/25/2017 |
CVE-2017-13082 | Critical | WLAN HOST | 8/25/2017 |
CVE-2017-13086 | Critical | WLAN HOST | 8/25/2017 |
CVE-2017-13087 | Critical | WLAN HOST | 8/25/2017 |
CVE-2017-13088 | Critical | WLAN HOST | 8/25/2017 |
CVE-2017-15818 | High | Trusted Execution Environment | 7/17/2017 |
CVE-2017-15825 | Medium | Boot | 8/13/2017 |
CVE-2017-15828 | Medium | Trusted Execution Environment | 8/6/2017 |
CVE-2017-15844 | Medium | Boot | 10/13/2017 |
CVE-2018-11265 | Medium | Qualcomm IPC | 3/6/2018 |
CVE-2018-11270 | Medium | Connectivity | 3/1/2018 |
CVE-2018-11273 | Medium | Audio | 2/7/2018 |
CVE-2018-11274 | High | Audio | Internal |
CVE-2018-11275 | High | Boot | 3/26/2018 |
CVE-2018-11276 | Medium | Kernel | 2/7/2018 |
CVE-2018-11278 | High | Video | Internal |
CVE-2018-11280 | High | Data Network Stack & Connectivity | Internal |
CVE-2018-11281 | High | Data Network Stack & Connectivity | Internal |
CVE-2018-11286 | Medium | Video | 4/12/2017 |
CVE-2018-11293 | Medium | WLAN HOST | 12/12/2017 |
CVE-2018-11294 | Medium | WLAN HOST | Internal |
CVE-2018-11295 | High | WLAN HOST | 2/2/2018 |
CVE-2018-11296 | High | WLAN HOST | Internal |
CVE-2018-11297 | High | WLAN HOST | 12/12/2017 |
CVE-2018-11298 | Medium | WLAN HOST | 1/16/2018 |
CVE-2018-11299 | High | WLAN HOST | Internal |
CVE-2018-11300 | Medium | WLAN HOST | 12/28/2017 |
CVE-2018-11301 | Medium | WLAN HOST | 1/11/2018 |
CVE-2018-11302 | Medium | WLAN HOST | 2/27/2018 |
CVE-2018-11818 | Medium | Display | 12/13/2017 |
CVE-2018-11826 | High | WLAN HOST | Internal |
CVE-2018-11827 | High | WLAN HOST | Internal |
CVE-2018-11832 | Medium | PMIC | 2/28/2018 |
CVE-2018-11836 | High | WLAN HOST | Internal |
CVE-2018-11840 | High | WLAN HOST | Internal |
CVE-2018-11842 | High | WLAN HOST | Internal |
CVE-2018-11843 | High | WLAN HOST | Internal |
CVE-2018-11851 | High | WLAN HOST | Internal |
CVE-2018-11852 | High | WLAN HOST | Internal |
CVE-2018-11860 | High | WLAN HOST | Internal |
CVE-2018-11863 | High | WLAN HOST | Internal |
CVE-2018-11868 | High | WLAN HOST | Internal |
CVE-2018-11869 | High | WLAN HOST | Internal |
CVE-2018-11878 | High | WLAN HOST | Internal |
CVE-2018-11883 | High | WLAN HOST | Internal |
CVE-2018-11886 | High | WLAN HOST | 3/1/2018 |
CVE-2018-11889 | High | WLAN HOST | Internal |
CVE-2018-11891 | High | WLAN HOST | Internal |
CVE-2018-11893 | Medium | WLAN HOST | 4/20/2018 |
CVE-2018-11894 | High | WLAN HOST | Internal |
CVE-2018-11895 | High | WLAN HOST | Internal |
CVE-2018-11897 | High | WLAN HOST | Internal |
CVE-2018-11898 | High | WLAN HOST | Internal |
CVE-2018-11902 | High | WLAN HOST | 4/3/2018 |
CVE-2018-11903 | High | WLAN HOST | Internal |
CVE-2018-11904 | High | WLAN HOST | 1/22/2018 |
CVE-2018-3570 | Medium | Power | 11/10/2017 |
CVE-2018-3573 | Medium | Boot | 10/2/2017 |
CVE-2018-3574 | Medium | Kernel | 11/1/2017 |
CVE-2018-3586 | Medium | DSP Service | 10/25/2017 |
CVE-2018-3597 | High | DSP Service | 11/2/2017 |
CVE-2018-5889 | High | Boot | Internal |
CVE-2018-5905 | Medium | Core Services | 12/8/2017 |
CVE-2017-13077
CVE-2017-13078
CVE-2017-13080
CVE ID | CVE-2017-13080 |
Title | Cryptographic Issues in WLAN |
Description | Cryptographic issues can occur during the 4-way handshake and the group key handshake of the WPA/WPA2 protocol. |
Technology Area | WLAN HOST |
Vulnerability Type | CWE-310 Cryptographic Issues |
Access Vector | AdjacentNetwork |
Security Rating | Critical |
Date Reported | 8/25/2017 |
Customer Notified Date | 2/5/2018 |
Patch |
CVE-2017-13082
CVE ID | CVE-2017-13082 |
Title | Cryptographic Issues in WLAN |
Description | Cryptographic issues can occur during the Fast BSS transmission handshake of the WPA/WPA2 protocol. |
Technology Area | WLAN HOST |
Vulnerability Type | CWE-310 Cryptographic Issues |
Access Vector | AdjacentNetwork |
Security Rating | Critical |
Date Reported | 8/25/2017 |
Customer Notified Date | 2/5/2018 |
Patch |
CVE-2017-13086
CVE ID | CVE-2017-13086 |
Title | Cryptographic Issues in WLAN |
Description | Cryptographic issues can occur during the TDLS handshake of the WPA/WPA2 protocol. |
Technology Area | WLAN HOST |
Vulnerability Type | CWE-310 Cryptographic Issues |
Access Vector | AdjacentNetwork |
Security Rating | Critical |
Date Reported | 8/25/2017 |
Customer Notified Date | 2/5/2018 |
Patch |
CVE-2017-13087
CVE ID | CVE-2017-13087 |
Title | Cryptographic Issues in WLAN |
Description | Cryptographic issues can occur while processing Wireless Network Management Sleep Mode Response frames. |
Technology Area | WLAN HOST |
Vulnerability Type | CWE-310 Cryptographic Issues |
Access Vector | AdjacentNetwork |
Security Rating | Critical |
Date Reported | 8/25/2017 |
Customer Notified Date | 2/5/2018 |
Patch |
CVE-2017-13088
CVE ID | CVE-2017-13088 |
Title | Cryptographic Issues in WLAN |
Description | Cryptographic issues can occur while processing Wireless Network Management Sleep Mode Response frames. |
Technology Area | WLAN HOST |
Vulnerability Type | CWE-310 Cryptographic Issues |
Access Vector | AdjacentNetwork |
Security Rating | Critical |
Date Reported | 8/25/2017 |
Customer Notified Date | 2/5/2018 |
Patch |
CVE-2017-15818
CVE ID | CVE-2017-15818 |
Title | Integer Overflow to Buffer Overflow in Core |
Description | While loading a user application in qseecom, an integer overflow could potentially occur if the application partition size is rounded up to page_size. |
Technology Area | Trusted Execution Environment |
Vulnerability Type | CWE-680 Integer Overflow to Buffer Overflow |
Access Vector | Local |
Security Rating | High |
Date Reported | 7/17/2017 |
Customer Notified Date | 11/6/2017 |
Patch |
CVE-2017-15825
CVE ID | CVE-2017-15825 |
Title | Out of bounds access when accessing partition entries in update gpt |
Description | While processing a gpt update, an out of bounds memory access may potentially occur. |
Technology Area | Boot |
Vulnerability Type | CWE-126 Buffer Over-read |
Access Vector | Local |
Security Rating | Medium |
Date Reported | 8/13/2017 |
Customer Notified Date | 11/6/2017 |
Patch |
CVE-2017-15828
CVE ID | CVE-2017-15828 |
Title | Integer Overflow to Buffer Overflow vulnerability in bootloader |
Description | While accessing the keystore in LK, an integer overflow vulnerability exists which may potentially lead to a buffer overflow. |
Technology Area | Trusted Execution Environment |
Vulnerability Type | CWE-680 Integer Overflow to Buffer Overflow |
Access Vector | Local |
Security Rating | Medium |
Date Reported | 8/6/2017 |
Customer Notified Date | 11/6/2017 |
Patch |
CVE-2017-15844
CVE ID | CVE-2017-15844 |
Title | Potential information disclosure in write_device_info_flash() |
Description | In the function write_device_info_flash(), uninitialized memory can be written to flash. |
Technology Area | Boot |
Vulnerability Type | CWE-126 Buffer Over-read |
Access Vector | Local |
Security Rating | Medium |
Date Reported | 10/13/2017 |
Customer Notified Date | 2/5/2018 |
Patch |
CVE-2018-11265
CVE ID | CVE-2018-11265 |
Title | Buffer Copy Without Checking Size of Input in Core |
Description | Possible buffer overflow while incrementing the log_buf of type uint64_t in memcpy function, since the log_buf pointer can access the memory beyond the size to store the data after pointer increment. |
Technology Area | Qualcomm IPC |
Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’) |
Access Vector | Local |
Security Rating | Medium |
Date Reported | 3/6/2018 |
Customer Notified Date | 6/4/2018 |
Patch |
CVE-2018-11270
CVE ID | CVE-2018-11270 |
Title | Double Free in Wired Connectivity |
Description | Memory allocated with devm_kzalloc is automatically released by the kernel if the probe function fails with an error code. This may result in data corruption. |
Technology Area | Connectivity |
Vulnerability Type | CWE-415 Double Free |
Access Vector | Local |
Security Rating | Medium |
Date Reported | 3/1/2018 |
Customer Notified Date | 6/4/2018 |
Patch |
CVE-2018-11273
CVE ID | CVE-2018-11273 |
Title | Double Free in Audio |
Description | ‘voice_svc_dev’ is allocated as a device-managed resource. If the error ‘cdev_alloc_err’ occurs, ‘device_destroy’ will free all associated resources, including ‘voice_svc_dev’, leading to a double free. |
Technology Area | Audio |
Vulnerability Type | CWE-415 Double Free |
Access Vector | Local |
Security Rating | Medium |
Date Reported | 2/7/2018 |
Customer Notified Date | 6/4/2018 |
Patch |
CVE-2018-11274
CVE ID | CVE-2018-11274 |
Title | Buffer Copy Without Checking Size of Input in Audio |
Description | Buffer overflow may occur when the payload size is extremely large, such as 2^31 - 1. |
Technology Area | Audio |
Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’) |
Access Vector | Local |
Security Rating | High |
Date Reported | Internal |
Customer Notified Date | 7/2/2018 |
Patch |
CVE-2018-11275
CVE ID | CVE-2018-11275 |
Title | Information Exposure in Boot |
Description | When flashing image using FastbootLib if size is not divisible by block size, information leak occurs. |
Technology Area | Boot |
Vulnerability Type | CWE-200 Information Exposure |
Access Vector | Local |
Security Rating | High |
Date Reported | 3/26/2018 |
Customer Notified Date | 7/2/2018 |
Patch |
CVE-2018-11276
CVE ID | CVE-2018-11276 |
Title | Double Free Issue in Kernel |
Description | Double free of memory allocated with devm_kzalloc() is possible in arm_memlat_mon_driver_probe() when it explicitly tries to free that memory using kfree() on driver probe failure, since memory allocated with devm_kzalloc() is automatically freed on probe failures. |
Technology Area | Kernel |
Vulnerability Type | CWE-415 Double Free |
Access Vector | Local |
Security Rating | Medium |
Date Reported | 2/7/2018 |
Customer Notified Date | 6/4/2018 |
Patch |
CVE-2018-11278
CVE ID | CVE-2018-11278 |
Title | Buffer Over-read in Video |
Description | Venus HW searches for start code when decoding input bit stream buffers. If start code is not found in entire buffer, there is over-fetch of 512 bytes beyond allocation length. This leads to page fault. |
Technology Area | Video |
Vulnerability Type | CWE-126 Buffer Over-read |
Access Vector | Local |
Security Rating | High |
Date Reported | Internal |
Customer Notified Date | 6/4/2018 |
Patch |
CVE-2018-11280
CVE ID | CVE-2018-11280 |
Title | Improper Input Validation in MODEM |
Description | While processing user-space IPA IOCTL IPA_IOC_ALLOC_NAT_TABLE there is no size validation of the NAT entry input. If the user input size of the NAT entry is greater than the max allowed size of 64K, memory exhaustion will occur. |
Technology Area | Data Network Stack & Connectivity |
Vulnerability Type | CWE-20 Improper Input Validation |
Access Vector | Local |
Security Rating | High |
Date Reported | Internal |
Customer Notified Date | 6/4/2018 |
Patch |
CVE-2018-11281
CVE ID | CVE-2018-11281 |
Title | Use After Free in Data |
Description | While calling IPA_IOC_MDFY_RT_RULE IPA IOCTL, header entry is not checked before use. If IPA_IOC_MDFY_RT_RULE IOCTL called for header entries formerly deleted, a Use after free condition will occur. |
Technology Area | Data Network Stack & Connectivity |
Vulnerability Type | CWE-416 Use After Free |
Access Vector | Local |
Security Rating | High |
Date Reported | Internal |
Customer Notified Date | 6/4/2018 |
Patch |
CVE-2018-11286
CVE ID | CVE-2018-11286 |
Title | Use After Free in Video |
Description | While accessing the global variable “debug_client” in a multi-threaded manner, a use-after-free issue occurs. |
Technology Area | Video |
Vulnerability Type | CWE-416 Use After Free |
Access Vector | Local |
Security Rating | Medium |
Date Reported | 4/12/2017 |
Customer Notified Date | 7/2/2018 |
Patch |
CVE-2018-11293
CVE ID | CVE-2018-11293 |
Title | Buffer Over-read in WLAN |
Description | In wma_ndp_confirm_event_handler and wma_ndp_indication_event_handler, ndp_cfg len and num_ndp_app_info is from fw. If they are not checked, it may cause buffer over-read once the value is too large. |
Technology Area | WLAN HOST |
Vulnerability Type | CWE-126 Buffer Over-read |
Access Vector | AdjacentNetwork |
Security Rating | Medium |
Date Reported | 12/12/2017 |
Customer Notified Date | 6/4/2018 |
Patch |
CVE-2018-11294
CVE ID | CVE-2018-11294 |
Title | Always-Incorrect Control Flow Implementation in WLAN |
Description | The wma_unified_link_iface_stats_event_handler indication from the firmware gets the information for 4 access categories (num_ac = WIFI_AC_MAX). While processing this information, only the first 3 AC entries are copied due to the improper conditional logic used to compare with the maximum number of categories (WIFI_AC_MAX). |
Technology Area | WLAN HOST |
Vulnerability Type | CWE-670 Always-Incorrect Control Flow Implementation |
Access Vector | AdjacentNetwork |
Security Rating | Medium |
Date Reported | Internal |
Customer Notified Date | 6/4/2018 |
Patch |
CVE-2018-11295
CVE ID | CVE-2018-11295 |
Title | Integer Overflow to Buffer Overflow in WLAN |
Description | wma_passpoint_match_event_handler carries fixed event data from the firmware to the host. If the length and anqp length from this event data exceed the maximum length of this fixed data, WMI_SVC_MSG_MAX_SIZE, an OOB write would happen. |
Technology Area | WLAN HOST |
Vulnerability Type | CWE-680 Integer Overflow to Buffer Overflow |
Access Vector | Local |
Security Rating | High |
Date Reported | 2/2/2018 |
Customer Notified Date | 6/4/2018 |
Patch |
CVE-2018-11296
CVE ID | CVE-2018-11296 |
Title | Buffer Copy without Checking Size of Input in WLAN |
Description | While processing a message from firmware in htt_t2h_msg_handler_fast(), a buffer overwrite can occur. |
Technology Area | WLAN HOST |
Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’) |
Access Vector | Local |
Security Rating | High |
Date Reported | Internal |
Customer Notified Date | 6/4/2018 |
Patch |
CVE-2018-11297
CVE ID | CVE-2018-11297 |
Title | Buffer Over-read in WLAN |
Description | A buffer over-read can occur in the WMA NDP event handler functions due to lack of validation of the input value event_info, which is received from FW. |
Technology Area | WLAN HOST |
Vulnerability Type | CWE-126 Buffer Over-read |
Access Vector | Local |
Security Rating | High |
Date Reported | 12/12/2017 |
Customer Notified Date | 6/4/2018 |
Patch |
CVE-2018-11298
CVE ID | CVE-2018-11298 |
Title | Possible Buffer Overflow in WLAN |
Description | While processing SET_PASSPOINT_LIST vendor command HDD does not make sure that the realm string that gets passed by upper-layer is NULL terminated. This may lead to buffer overflow as strlen is used to get realm string length to construct the PASSPOINT WMA command. |
Technology Area | WLAN HOST |
Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’) |
Access Vector | Local |
Security Rating | Medium |
Date Reported | 1/16/2018 |
Customer Notified Date | 6/4/2018 |
Patch |
CVE-2018-11299
CVE ID | CVE-2018-11299 |
Title | Improper Validation of Array Index in WLAN |
Description | When WLAN FW has not filled the vdev id correctly in stats events, the WLAN host driver tries to access the interface array without a proper bounds check, which can lead to invalid memory access and, as a side effect, a kernel panic or page fault. |
Technology Area | WLAN HOST |
Vulnerability Type | CWE-129 Improper Validation of Array Index |
Access Vector | Local |
Security Rating | High |
Date Reported | Internal |
Customer Notified Date | 6/4/2018 |
Patch |
CVE-2018-11300
CVE ID | CVE-2018-11300 |
Title | Possible Use After Free in WLAN |
Description | It is observed that the callback executed from the other thread has freed “cfgState->remain_on_chan_ctx,” which is also used in wlan_hdd_execute_remain_on_channel and may result in a “use after free” scenario. |
Technology Area | WLAN HOST |
Vulnerability Type | CWE-416 Use After Free |
Access Vector | Local |
Security Rating | Medium |
Date Reported | 12/28/2017 |
Customer Notified Date | 6/4/2018 |
Patch |
CVE-2018-11301
CVE ID | CVE-2018-11301 |
Title | Integer Underflow in WLAN |
Description | While processing debug log event (WMI_DEBUG_MESG_EVENTID) from firmware: (a) If the value of length field extracted from the event buffer is less than the size of Integer, Integer underflow can occur. (b) If the size of number of debug log arguments calculated is greater than the event buffer size, a buffer over-read can occur. |
Technology Area | WLAN HOST |
Vulnerability Type | CWE-191 Integer Underflow (Wrap or Wraparound) |
Access Vector | Local |
Security Rating | Medium |
Date Reported | 1/11/2018 |
Customer Notified Date | 6/4/2018 |
Patch |
CVE-2018-11302
CVE ID | CVE-2018-11302 |
Title | Buffer Copy Without Checking Size of Input in WLAN |
Description | When the SETCCKMIE command comes from user space, the length of the command is compared with “DOT11F_IE_RSN_MAX_LEN”, and the command is passed to csr where the memcpy is done for the length of “CSR_DOT11F_IE_RSN_MAX_LEN”, which is smaller than “DOT11F_IE_RSN_MAX_LEN”, resulting in an array overflow. |
Technology Area | WLAN HOST |
Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’) |
Access Vector | Local |
Security Rating | Medium |
Date Reported | 2/27/2018 |
Customer Notified Date | 6/4/2018 |
Patch |
CVE-2018-11818
CVE ID | CVE-2018-11818 |
Title | Use After Free in Display |
Description | LUT configuration is passed down to driver from userspace via ioctl. Simultaneous update from userspace while kernel drivers are updating LUT registers can lead to race condition. |
Technology Area | Display |
Vulnerability Type | CWE-416 Use After Free |
Access Vector | Local |
Security Rating | Medium |
Date Reported | 12/13/2017 |
Customer Notified Date | 7/2/2018 |
Patch |
CVE-2018-11826
CVE ID | CVE-2018-11826 |
Title | Potential buffer overflow in wma_extscan_change_results_event_handler |
Description | In wma_extscan_change_results_event_handler the rssi_num is calculated by cumulating the src_chglist->num_rssi_samples for the number of aps(numap) in this event. If the src_chglist->num_rssi_samples is higher than UINT_MAX or is negative, it will lead to integer overflow of rssi_num which could cause OOB write on the destination buffer. |
Technology Area | WLAN HOST |
Vulnerability Type | CWE-680 Integer Overflow to Buffer Overflow |
Access Vector | Local |
Security Rating | High |
Date Reported | Internal |
Customer Notified Date | 7/2/2018 |
Patch |
CVE-2018-11827
CVE ID | CVE-2018-11827 |
Title | Improper Validation of Array Index in WLAN |
Description | wma_roam_synch_event_handler carries vdev_id as part of the synch event fixed_param to correspond the roam indication event to the upper layer. If the value of vdev_id exceeds the wma->max_bssid value of 5, then an OOB write would happen. |
Technology Area | WLAN HOST |
Vulnerability Type | CWE-129 Improper Validation of Array Index |
Access Vector | Local |
Security Rating | High |
Date Reported | Internal |
Customer Notified Date | 7/2/2018 |
Patch |
CVE-2018-11832
CVE ID | CVE-2018-11832 |
Title | Buffer Copy Without Checking Size of Input in PMIC |
Description | Lack of input size validation before copying to a buffer in the reg_debug_volt_get() function can lead to a heap overflow. |
Technology Area | PMIC |
Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’) |
Access Vector | Local |
Security Rating | Medium |
Date Reported | 2/28/2018 |
Customer Notified Date | 7/2/2018 |
Patch |
CVE-2018-11836
CVE ID | CVE-2018-11836 |
Title | Uncontrolled Resource Consumption in WLAN |
Description | An improper length check can lead to out-of-bounds access in ipa3_release_wdi_mapping. |
Technology Area | WLAN HOST |
Vulnerability Type | CWE-131 Incorrect Calculation of Buffer Size |
Access Vector | Local |
Security Rating | High |
Date Reported | Internal |
Customer Notified Date | 7/2/2018 |
Patch |
CVE-2018-11840
CVE ID | CVE-2018-11840 |
Title | Double Free in WLAN |
Description | While processing the GETIBSSPEERINFOALL wlan driver command ioctl a temporary buffer used to construct the reply message may be freed twice. |
Technology Area | WLAN HOST |
Vulnerability Type | CWE-415 Double Free |
Access Vector | Local |
Security Rating | High |
Date Reported | Internal |
Customer Notified Date | 7/2/2018 |
Patch |
CVE-2018-11842
CVE ID | CVE-2018-11842 |
Title | Use of Uninitialized Variable in WLAN |
Description | During WLAN association, the driver allocates memory in the API lim_send_assoc_req_mgmt_frame. In case the memory allocation fails, the driver does a memory free even though the memory was not allocated. |
Technology Area | WLAN HOST |
Vulnerability Type | CWE-457 Use of Uninitialized Variable |
Access Vector | AdjacentNetwork |
Security Rating | High |
Date Reported | Internal |
Customer Notified Date | 7/2/2018 |
Patch |
CVE-2018-11843
CVE ID | CVE-2018-11843 |
Title | Possible Use-After-Free in wma_vdev_start_resp_handler |
Description | wma_vdev_start_resp_handler invokes wma_send_msg which frees req_msg->user_data while handling hidden_ssid_vdev_restart event. If this req_msg->user_data is used again for other req->msg_type message types, then a possible use-after-free can occur in wma_vdev_start_resp_handler. |
Technology Area | WLAN HOST |
Vulnerability Type | CWE-416 Use After Free |
Access Vector | Local |
Security Rating | High |
Date Reported | Internal |
Customer Notified Date | 7/2/2018 |
Patch |
CVE-2018-11851
CVE ID | CVE-2018-11851 |
Title | Buffer Copy Without Checking Size of Input in WLAN |
Description | The driver fills the mcs_set array in hdd_update_tgt_ht_cap() for all rf_chains and does not have an upper boundary check on cfg->num_rf_chains, which could lead to an out-of-bounds write to the kernel stack. |
Technology Area | WLAN HOST |
Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’) |
Access Vector | Local |
Security Rating | High |
Date Reported | Internal |
Customer Notified Date | 7/2/2018 |
Patch |
CVE-2018-11852
CVE ID | CVE-2018-11852 |
Title | Buffer Copy Without Checking Size of Input in WLAN |
Description | An improper check in the API wma_process_pdev_hw_mode_trans_ind of the inputs received from the firmware, which are then copied into the host structure hw_mode_trans_ind, will lead to an OOB write. |
Technology Area | WLAN HOST |
Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’) |
Access Vector | Local |
Security Rating | High |
Date Reported | Internal |
Customer Notified Date | 7/2/2018 |
Patch |
CVE-2018-11860
CVE ID | CVE-2018-11860 |
Title | Buffer Copy Without Checking Size of Input in WLAN |
Description | A potential buffer overflow could occur while processing the ndp event due to lack of a check on the message length. |
Technology Area | WLAN HOST |
Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’) |
Access Vector | Local |
Security Rating | High |
Date Reported | Internal |
Customer Notified Date | 7/2/2018 |
Patch |
CVE-2018-11863
CVE ID | CVE-2018-11863 |
Title | Potential buffer overflow in wma_fill_roam_synch_buffer |
Description | In wma_fill_roam_synch_buffer, fils_info is received from the FW as part of the roam synch event and contains kek_len and pmk_len. These lengths are used to copy the kek and pmk from the FW buffer to the roam_synch_ind_ptr (of kek length SIR_KEK_KEY_LEN_FILS and pmk length SIR_PMK_LEN) respectively. If kek_len exceeds SIR_KEK_KEY_LEN_FILS or pmk_len exceeds SIR_PMK_LEN, a buffer overwrite would occur during memcpy. |
Technology Area | WLAN HOST |
Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’) |
Access Vector | Local |
Security Rating | High |
Date Reported | Internal |
Customer Notified Date | 7/2/2018 |
Patch |
CVE-2018-11868
CVE ID | CVE-2018-11868 |
Title | Possible buffer overflow in wma_nan_rsp_event_handler |
Description | Due to an issue in firmware, the NAN rsp event sent by firmware may have an invalid data length. Due to the invalid length, a buffer overflow occurs upon data copy when the data length is smaller than (WMI_SVC_MSG_MAX_SIZE - wmi_nan_event_hdr size) but greater than (WMI_SVC_MSG_MAX_SIZE - wmi_nan_event_hdr - WMI_TLV_HDR_SIZE). |
Technology Area | WLAN HOST |
Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’) |
Access Vector | Local |
Security Rating | High |
Date Reported | Internal |
Customer Notified Date | 7/2/2018 |
Patch |
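The length window described above, as an added illustration that is not code from the bulletin or the WLAN host driver: the constant values (WMI_SVC_MSG_MAX_SIZE, the wmi_nan_event_hdr size and WMI_TLV_HDR_SIZE) are assumed placeholders, and the check and copy functions are hypothetical models of the flaw and its fix, not the driver's own.

```c
#include <stdbool.h>
#include <stdint.h>

/* Assumed values, not taken from the bulletin: the real constants live in
 * the WLAN host driver and may differ. */
#define WMI_SVC_MSG_MAX_SIZE   1536u
#define WMI_NAN_EVENT_HDR_SIZE 8u
#define WMI_TLV_HDR_SIZE       4u

/* Host copy destination sized as the bulletin describes: the whole service
 * message minus the NAN event header. The TLV header is copied into it too. */
#define NAN_DATA_BUF_SIZE (WMI_SVC_MSG_MAX_SIZE - WMI_NAN_EVENT_HDR_SIZE)

/* Check as the bulletin describes the flaw: only the event header is
 * subtracted, so the TLV header that travels with the data is unaccounted for. */
static bool nan_len_check_vulnerable(uint32_t data_len)
{
    return data_len <= WMI_SVC_MSG_MAX_SIZE - WMI_NAN_EVENT_HDR_SIZE;
}

/* Hardened check: also subtract the TLV header that is copied with the data. */
static bool nan_len_check_fixed(uint32_t data_len)
{
    return data_len <= WMI_SVC_MSG_MAX_SIZE - WMI_NAN_EVENT_HDR_SIZE
                       - WMI_TLV_HDR_SIZE;
}

/* True for exactly the lengths the bulletin names: accepted by the flawed
 * check, rejected by the corrected one. */
static bool nan_len_in_failure_window(uint32_t data_len)
{
    return nan_len_check_vulnerable(data_len) && !nan_len_check_fixed(data_len);
}

/* Bytes the copy would write (TLV header + data); true when that exceeds
 * the destination, i.e. the overflow the vulnerable check lets through. */
static bool nan_copy_would_overflow(uint32_t data_len)
{
    uint64_t needed = (uint64_t)WMI_TLV_HDR_SIZE + data_len;
    return needed > NAN_DATA_BUF_SIZE;
}

/* Model of the guarded copy: returns total bytes written with the fixed
 * check in place, or -1 when the event is rejected. */
static long nan_copy_total_bytes(uint32_t data_len)
{
    if (!nan_len_check_fixed(data_len))
        return -1;
    return (long)(WMI_TLV_HDR_SIZE + data_len);
}
```

With the assumed constants the failure window is 1525..1528 bytes: any such data_len passes the flawed check yet overruns the host buffer by up to WMI_TLV_HDR_SIZE bytes.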
CVE-2018-11869
CVE ID | CVE-2018-11869 |
Title | Possible buffer overflow in wma_stats_ext_event_handler |
Description | Due to an issue in firmware, the extended stats event sent by firmware may have an invalid data length. Due to the invalid length, a buffer overflow occurs upon data copy when the data length is smaller than (WMI_SVC_MSG_MAX_SIZE - wmi_stats_ext_event_fixed_param size) but greater than (WMI_SVC_MSG_MAX_SIZE - wmi_stats_ext_event_fixed_param - WMI_TLV_HDR_SIZE). |
Technology Area | WLAN HOST |
Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’) |
Access Vector | Local |
Security Rating | High |
Date Reported | Internal |
Customer Notified Date | 7/2/2018 |
Patch |
CVE-2018-11878
CVE ID | CVE-2018-11878 |
Title | Return of Stack Variable Address in WLAN |
Description | Possibility of invalid memory access while processing the driver commands GETFWSTATS and GETBCNMISSRATE in a WLAN function. |
Technology Area | WLAN HOST |
Vulnerability Type | CWE-562 Return of Stack Variable Address |
Access Vector | Local |
Security Rating | High |
Date Reported | Internal |
Customer Notified Date | 7/2/2018 |
Patch |
CVE-2018-11883
CVE ID | CVE-2018-11883 |
Title | Improper Input Validation in WLAN |
Description | In the policy mgr unit test, if the mode parameter in iwpriv wlan0 pm_pcl is given an out-of-bounds value, it can cause an out-of-bounds access while accessing the PCL table. |
Technology Area | WLAN HOST |
Vulnerability Type | CWE-129 Improper Validation of Array Index |
Access Vector | Local |
Security Rating | High |
Date Reported | Internal |
Customer Notified Date | 7/2/2018 |
Patch |
CVE-2018-11886
CVE ID | CVE-2018-11886 |
Title | Integer Overflow to Buffer Overflow in WLAN |
Description | In function wma_form_rx_packet, mpdu_data_len is calculated as (buf_len - mpdu_hdr_len). If the value of buf_len is less than mpdu_hdr_len, then an integer underflow would occur while calculating mpdu_data_len, leading to a very large value of mpdu_data_len. |
Technology Area | WLAN HOST |
Vulnerability Type | CWE-680 Integer Overflow to Buffer Overflow |
Access Vector | Local |
Security Rating | High |
Date Reported | 3/1/2018 |
Customer Notified Date | 7/2/2018 |
Patch |
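The underflow described above, shown as an added example that is not the bulletin's or the WLAN host driver's code: buf_len and mpdu_hdr_len follow the bulletin's names, while form_rx_packet, the destination buffer size and the constructed frame are hypothetical models of the arithmetic and of the range check a fix needs.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Host-side packet buffer the MPDU payload is copied into (size assumed). */
#define RX_PKT_BUF_SIZE 256u

/* Vulnerable arithmetic: unsigned subtraction with no range check.
 * When buf_len < mpdu_hdr_len the result wraps to a value near 4 GB. */
static uint32_t mpdu_data_len_unchecked(uint32_t buf_len, uint32_t mpdu_hdr_len)
{
    return buf_len - mpdu_hdr_len;
}

/* Hardened: reject a frame whose header claims more bytes than the buffer
 * holds, so the subtraction can never wrap. */
static bool mpdu_data_len_checked(uint32_t buf_len, uint32_t mpdu_hdr_len,
                                  uint32_t *mpdu_data_len)
{
    if (mpdu_hdr_len > buf_len)
        return false;
    *mpdu_data_len = buf_len - mpdu_hdr_len;
    return true;
}

/* Convenience predicate for the check alone. */
static bool frame_lengths_valid(uint32_t buf_len, uint32_t mpdu_hdr_len)
{
    uint32_t unused;
    return mpdu_data_len_checked(buf_len, mpdu_hdr_len, &unused);
}

/* Model of forming the RX packet: copy the payload that follows the MPDU
 * header into a fixed host buffer. Returns bytes copied, or -1 when the
 * frame is rejected by either the wrap check or the destination bound. */
static long form_rx_packet(const uint8_t *buf, uint32_t buf_len,
                           uint32_t mpdu_hdr_len, uint8_t *dst, uint32_t dst_len)
{
    uint32_t data_len;

    if (!mpdu_data_len_checked(buf_len, mpdu_hdr_len, &data_len))
        return -1;
    if (data_len > dst_len)      /* second bound: destination capacity */
        return -1;
    memcpy(dst, buf + mpdu_hdr_len, data_len);
    return (long)data_len;
}

/* Drive form_rx_packet with a constructed frame (all bytes 0xAB) of the
 * given lengths. Returns bytes copied or -1. */
static long form_from_constructed_frame(uint32_t buf_len, uint32_t mpdu_hdr_len)
{
    uint8_t frame[64];
    uint8_t dst[RX_PKT_BUF_SIZE];

    if (buf_len > sizeof frame)
        return -1;
    memset(frame, 0xAB, sizeof frame);
    return form_rx_packet(frame, buf_len, mpdu_hdr_len, dst, sizeof dst);
}
```

A 10-byte buffer with a 24-byte header length yields 0xFFFFFFF2 from the unchecked subtraction, which is the memcpy length the bulletin warns about; the checked path refuses the frame instead.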
CVE-2018-11889
CVE ID | CVE-2018-11889 |
Title | Return of Stack Variable Address in WLAN |
Description | When an RSSI request times out, an invalid memory access may occur, since the stack data of the local variable ‘context’ in wlan_hdd_get_peer_info() has already been released. |
Technology Area | WLAN HOST |
Vulnerability Type | CWE-562 Return of Stack Variable Address |
Access Vector | Local |
Security Rating | High |
Date Reported | Internal |
Customer Notified Date | 7/2/2018 |
Patch |
CVE-2018-11891
CVE ID | CVE-2018-11891 |
Title | Potential OOB read in update_fils_data |
Description | In function update_fils_data, fils_indication->num_variable_data is the actual length of the data present in the array variable_data. While accessing the variable_data array to copy the cache identifier, HESSID and realm identifiers, the length of the array is not checked and an OOB read would occur. |
Technology Area | WLAN HOST |
Vulnerability Type | CWE-126 Buffer Over-read |
Access Vector | AdjacentNetwork |
Security Rating | High |
Date Reported | Internal |
Customer Notified Date | 7/2/2018 |
Patch |
CVE-2018-11893
CVE ID | CVE-2018-11893 |
Title | Buffer Copy without Checking Size of Input in WLAN |
Description | While processing a vendor scan request, a buffer overflow can occur when the input argument (the length of the request IEs) is greater than 2048. |
Technology Area | WLAN HOST |
Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’) |
Access Vector | Local |
Security Rating | Medium |
Date Reported | 4/20/2018 |
Customer Notified Date | 7/2/2018 |
Patch |
CVE-2018-11894
CVE ID | CVE-2018-11894 |
Title | Integer Overflow to Buffer Overflow in WLAN |
Description | While processing preferred network offload scan results, an integer overflow may lead to a buffer overflow when a large frame length is received from FW. |
Technology Area | WLAN HOST |
Vulnerability Type | CWE-680 Integer Overflow to Buffer Overflow |
Access Vector | Local |
Security Rating | High |
Date Reported | Internal |
Customer Notified Date | 7/2/2018 |
Patch |
CVE-2018-11895
CVE ID | CVE-2018-11895 |
Title | Potential Buffer Overflow in WLAN |
Description | Improper length check validation in a WLAN function can lead to the driver writing the default RSN capabilities (2 bytes) to memory not allocated to the frame. |
Technology Area | WLAN HOST |
Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’) |
Access Vector | Local |
Security Rating | High |
Date Reported | Internal |
Customer Notified Date | 7/2/2018 |
Patch |
CVE-2018-11897
CVE ID | CVE-2018-11897 |
Title | Buffer Copy Without Checking Size of Input in WLAN |
Description | While processing a diag event after associating to a network, an out-of-bounds read occurs if the SSID of the joined network is longer than the maximum limit. |
Technology Area | WLAN HOST |
Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’) |
Access Vector | Local |
Security Rating | High |
Date Reported | Internal |
Customer Notified Date | 7/2/2018 |
Patch |
CVE-2018-11898
CVE ID | CVE-2018-11898 |
Title | Buffer Copy Without Checking Size of Input in WLAN |
Description | While processing a start BSS request from the upper layer, an out-of-bounds read occurs if the SSID length is greater than 32. |
Technology Area | WLAN HOST |
Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’) |
Access Vector | Local |
Security Rating | High |
Date Reported | Internal |
Customer Notified Date | 7/2/2018 |
Patch |
CVE-2018-11902
CVE ID | CVE-2018-11902 |
Title | Improper Validation of Array Index in WLAN |
Description | In function ol_rx_in_order_indication_handler, msdu_count is processed from msg_word, which is sent by firmware. msdu_count is later used unchecked in function htt_rx_ring_fill_n, which can cause OOB access if the value of msdu_count is not valid. |
Technology Area | WLAN HOST |
Vulnerability Type | CWE-129 Improper Validation of Array Index |
Access Vector | Local |
Security Rating | High |
Date Reported | 4/3/2018 |
Customer Notified Date | 7/2/2018 |
Patch |
CVE-2018-11903
CVE ID | CVE-2018-11903 |
Title | Improper Validation of Array Index in WLAN |
Description | In the function wma_update_intf_hw_mode_params, vdev_id, received from the caller function wma_pdev_set_hw_mode_resp_evt_handler, is used as the array index for wma->interfaces. If vdev_id exceeds wma->max_bssid (5), an OOB write could occur. |
Technology Area | WLAN HOST |
Vulnerability Type | CWE-129 Improper Validation of Array Index |
Access Vector | Local |
Security Rating | High |
Date Reported | Internal |
Customer Notified Date | 7/2/2018 |
Patch |
CVE-2018-11904
CVE-2018-3570
CVE ID | CVE-2018-3570 |
Title | Untrusted Pointer Dereference in Power |
Description | Improper usage of the list_for_each macro in the cpuidle driver can lead to an untrusted pointer dereference. |
Technology Area | Power |
Vulnerability Type | CWE-822 Untrusted Pointer Dereference |
Access Vector | Local |
Security Rating | Medium |
Date Reported | 11/10/2017 |
Customer Notified Date | 2/5/2018 |
Patch |
CVE-2018-3573
CVE ID | CVE-2018-3573 |
Title | Improper Restriction of Operations within the Bounds of a Memory Buffer in Boot |
Description | While relocating kernel images with a specially crafted boot image, an out of bounds access can occur. |
Technology Area | Boot |
Vulnerability Type | CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer |
Access Vector | Local |
Security Rating | Medium |
Date Reported | 10/2/2017 |
Customer Notified Date | 2/5/2018 |
Patch |
CVE-2018-3574
CVE ID | CVE-2018-3574 |
Title | Improper Input Validation in Kernel |
Description | Userspace can request ION cache maintenance on a secure ION buffer for which the ION_FLAG_SECURE ion flag is not set and cause the kernel to attempt to perform cache maintenance on memory which does not belong to HLOS. |
Technology Area | Kernel |
Vulnerability Type | CWE-20 Improper Input Validation |
Access Vector | Local |
Security Rating | Medium |
Date Reported | 11/1/2017 |
Customer Notified Date | 2/5/2018 |
Patch |
CVE-2018-3586
CVE ID | CVE-2018-3586 |
Title | Integer Overflow to Buffer Overflow in Multimedia |
Description | An integer overflow to buffer overflow vulnerability exists in the ADSPRPC heap manager. |
Technology Area | DSP Service |
Vulnerability Type | CWE-680 Integer Overflow to Buffer Overflow |
Access Vector | Local |
Security Rating | Medium |
Date Reported | 10/25/2017 |
Customer Notified Date | 2/5/2018 |
Patch |
CVE-2018-3597
CVE ID | CVE-2018-3597 |
Title | Improper Input Validation in Multimedia |
Description | In the ADSP RPC driver, an arbitrary kernel write can occur. |
Technology Area | DSP Service |
Vulnerability Type | CWE-20 Improper Input Validation |
Access Vector | Network |
Security Rating | High |
Date Reported | 11/2/2017 |
Customer Notified Date | 3/5/2018 |
Patch |
CVE-2018-5889
CVE ID | CVE-2018-5889 |
Title | Improper Restriction of Operations within the Bounds of a Memory Buffer in Boot |
Description | While processing a compressed kernel image, a buffer overflow can occur. |
Technology Area | Boot |
Vulnerability Type | CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer |
Access Vector | Local |
Security Rating | High |
Date Reported | Internal |
Customer Notified Date | 1/1/2018 |
Patch |
CVE-2018-5905
CVE ID | CVE-2018-5905 |
Title | Buffer Copy Without Checking Size of Input in DIAG |
Description | A race condition while accessing driver->num_clients can lead to out-of-bounds access of the driver->client_map and driver->data_read data structures. |
Technology Area | Core Services |
Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’) |
Access Vector | Local |
Security Rating | Medium |
Date Reported | 12/8/2017 |
Customer Notified Date | 5/7/2018 |
Patch |
Industry Coordination
Security ratings of issues included in Android security bulletins and in these bulletins match in the most common scenarios but may differ in some cases due to one of the following reasons:
- Consideration of security protections such as SELinux that are not enforced on some platforms
- Differences in the assessment of some specific scenarios that involve local denial of service or privilege escalation vulnerabilities in the high level OS kernel
Version History
Version | Date | Comments |
1.0 | September 4, 2018 | Bulletin Published |
1.1 | August 9, 2019 | Added links to CVE-2018-11894 and CVE-2018-11902 |